Microsoft’s TechEd North America conference, held this week in New Orleans, provided a first glimpse of the architecture Microsoft shops could use to manage employees’ personal devices for work, an emerging IT trend known as bring your own device (BYOD).

“We’ve built a solution to manage your devices where they live,” said Brad Anderson, Microsoft’s corporate vice president of Windows Server and System Center, during the keynote at TechEd. System administrators will “get a consistent experience to manage PCs and devices in one console, one set of capabilities, and not separate infrastructures.”

By the end of this year, organizations will be able to use a set of Microsoft products to let their workers use personal devices, including non-Windows mobile devices such as Apple’s iPhones and iPads and Android devices, to access company applications, data and other resources. Administrators will be able to apply management policies to these devices, at least to the extent that the devices interact with the organization’s resources.

“If you have a Windows PC, you can join it to the domain and control it in a pretty deep way,” said Andrew Conway, a Microsoft director of product marketing, in a follow-up interview. “But as we move to this new paradigm of people using different mobile devices, we’re bringing a lot of new capabilities not only against Windows 8, Windows RT and Windows Phone 8, but also against iOS and Android.”

Mobile access

During the TechEd keynotes Monday, Molly Brown, principal development lead at Microsoft, demonstrated how someone could access an internal SharePoint site and Work Folders from a nonwork Windows 8.1 device, thanks to a new feature in Windows Server 2012 R2 called “Workplace Join.” Workplace Join registers the device with Active Directory without performing a full domain join. Over time, Microsoft will offer this sort of access to iOS devices as well.
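The demo above rests on a Windows Server 2012 R2 component, the Device Registration Service (DRS) in AD FS, which writes the registered device into Active Directory and issues device claims that AD FS authorization rules can require before a relying party such as SharePoint is reachable. The following PowerShell is an added example, not code from the article or from Microsoft’s demo; it assumes a Windows Server 2012 R2 AD FS farm whose forest schema has been updated for 2012 R2, and the service account name (CONTOSO\adfssvc$) and relying party display name (“SharePoint Intranet”) are assumptions for illustration.

```powershell
# Added example: enable Device Registration Service (the server side of
# Workplace Join) and require a workplace-joined device for one relying party.
# Run on the AD FS server with enterprise admin rights. Account and relying
# party names below are assumptions.

# 1. Prepare Active Directory for device registration (one-time, forest-wide).
#    The account is the one the AD FS service runs under (assumed name).
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\adfssvc$'

# 2. Turn on the DRS endpoint on this AD FS farm so Windows 8.1 (and later iOS)
#    clients can perform Workplace Join against it.
Enable-AdfsDeviceRegistration

# 3. Authorization rule: permit access only when the authenticating device
#    presents the isregistereduser claim that DRS issues for registered devices.
#    A user on an unregistered device gets no permit claim and is denied.
$rules = @'
@RuleName = "Permit only workplace-joined devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The relying party display name is an assumption; list yours with
# Get-AdfsRelyingPartyTrust. This replaces the existing authorization rule set.
Set-AdfsRelyingPartyTrust -TargetName 'SharePoint Intranet' -IssuanceAuthorizationRules $rules

# 4. Check: the effective rule set should now contain the device claim.
(Get-AdfsRelyingPartyTrust -Name 'SharePoint Intranet').IssuanceAuthorizationRules
```

Note that `-IssuanceAuthorizationRules` overwrites whatever authorization rules the relying party already had; if the trust carries other rules (for example a group-membership check), merge them into the same rule string rather than applying this one alone.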

Brown also showed how users can register their mobile devices with the workplace, which will provide them with the ability to download data and company apps written for their device platforms. This will work on Windows 8.1, iOS and—after Microsoft finishes developing a device agent—Android as well. When the employee leaves the organization, all the work assets can be wiped from the personal device, while keeping the nonwork assets untouched.

Staying Intune

Over the course of the week, more details came out at TechEd about how organizations could make this happen. They would need the latest versions of Windows Server 2012 R2, System Center 2012 R2 (most notably Configuration Manager) and Microsoft’s Intune computer management service.

The use of Intune is notable because it departs from the service’s original purpose: giving small businesses, and organizations with many branch offices, an easy way to keep their work computers current with updates and bug fixes. Now Microsoft is also pressing the service into a second role as the gateway for personal mobile devices that are used for work from outside the firewall.

“We did go through a little bit of a shift” with Intune, Conway admitted. Currently, about 35,000 organizations use Intune. Microsoft chose to use Intune because it predicts that most employees would connect their devices to work resources through the Internet, rather than through the company’s internal network, Conway said. In Configuration Manager, Intune shows up as “just another site server in your infrastructure,” Conway said.

Anticipating this shift in usage, Microsoft in December changed Intune’s pricing from a per-device model to a per-user model, recognizing that people often have more than one device. Each employee can register up to five devices through the service.

In a nutshell, an organization subscribes to the Intune service and connects it to its own copy of System Center Configuration Manager, whose console is then used to manage the Intune-enrolled devices alongside the rest of the estate. Configuration Manager is used to update and manage applications and operating systems across a corporate network. It also allows administrators to set management policies for devices, such as the required length of passwords.

Managing devices

Configuration Manager also comes with a user portal that lets employees find and download the applications they need for their jobs. The portal shows only the apps that can run on the device in use; iOS users would see only iPhone and iPad apps, for instance. Apps can be offered by the organization itself or drawn from the platform’s app store. The portal also gives users a button to remove all corporate data and apps from their own device.

To prepare to manage these devices, the organization would synchronize its on-premises Active Directory user and device accounts to Microsoft Online Directory Services (MSODS). The devices themselves would then connect to Intune and register, using the same employee log-in credentials used to access corporate networks. Organizations would also need certificates for the device platforms they enroll: Apple issues the push notification certificate required to manage iOS devices, and Windows Phone 8 enrollment relies on a code-signing certificate from Verisign (now Symantec).

Microsoft has even tried this approach in-house. Late last year, the company set up mobile device support for 98,000 employees and 80,000 contractors, according to a technical session at TechEd given by Microsoft engineers Arun Ramakrishnan and Marc Hurley. The engineers expect that over time, more than 125,000 of these workers will register their own personal mobile devices.

The vast majority of these devices were either Windows Phones or Windows RT devices, though a few Microsoft employees and contractors confessed to using Apple iOS devices. The team didn’t build in support for Android devices because very few Microsoft workers admitted to using them, at least for work purposes.
